Microsoft Issues Critical Update On URL Spoofing

Microsoft has issued the patch it promised for Internet Explorer. It addresses a URL spoofing flaw as well as a critical security hole that could allow attackers to take control of Internet-connected computers through JavaScript links in web pages.

The latest IE update disallows the use of the “@” character in URLs, closing a loophole that has helped phishing scammers disguise the Internet address of a fake Web site. In a URL of the form http://www.bank.example@203.0.113.5/login everything before the “@” is treated as a user name, not a host name, so the browser actually connects to 203.0.113.5 while the address bar appears to show the bank's name. Once the update is installed, including the @ symbol in a URL returns an “invalid syntax error” message; this also stops legitimate URLs that carry credentials in the user:password@host form. Internet scammers have been using @ signs in URLs to trick bank customers into revealing their account details.
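The following Python script is an added example, not code from Microsoft, Netcraft or the original article. It shows why the “@” trick works and how a mail or proxy filter can flag such links: it parses each link with the standard library's RFC 3986 splitter, reports the host the browser will really connect to, and lists spoof indicators when a trusted bank name appears in the userinfo part or elsewhere in a URL whose real host is not the bank. The sample links and the trusted host list are constructed for the demonstration; the IP addresses and domains are not real.

```python
from urllib.parse import urlsplit

# Constructed sample links of the kind found in phishing e-mail (not real sites).
SAMPLE_LINKS = [
    "http://www.examplebank.com/login",
    "http://www.examplebank.com@203.0.113.5/login",
    "http://www.examplebank.com:secure@phish.example/account",
    "https://203.0.113.5/www.examplebank.com/login",
]

# Hosts the filter considers the genuine bank (constructed for the example).
TRUSTED_HOSTS = {"www.examplebank.com", "examplebank.com"}


def real_host(url):
    """Return the host the browser will actually connect to.

    In "<scheme>://<userinfo>@<host>/<path>" everything before the last "@"
    of the authority is userinfo, so "www.examplebank.com@203.0.113.5"
    connects to 203.0.113.5 and sends "www.examplebank.com" as a user name.
    """
    return urlsplit(url).hostname or ""


def spoof_indicators(url, trusted_hosts=TRUSTED_HOSTS):
    """List the reasons a link looks like an "@"-style spoof of a trusted host.

    An empty list means nothing suspicious was found.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    reasons = []

    # Indicator 1: the authority carries userinfo at all. Legitimate bank
    # links to customers never embed credentials, so this alone is notable.
    if parts.username is not None:
        reasons.append("userinfo present before '@': " + parts.username)
        # Indicator 2: the bait is the trusted name sitting in the userinfo part.
        if any(t in parts.username for t in trusted_hosts):
            reasons.append("trusted host name used as user name")

    # Indicator 3: the trusted name appears somewhere in the link (path,
    # userinfo, anywhere) but the connection goes to a different host.
    if host and host not in trusted_hosts and any(t in url for t in trusted_hosts):
        reasons.append("trusted host name in link but real host is " + host)

    return reasons


def scan_links(links, trusted_hosts=TRUSTED_HOSTS):
    """Map each link to (real host, list of indicators) for review."""
    return {url: (real_host(url), spoof_indicators(url, trusted_hosts)) for url in links}


if __name__ == "__main__":
    for url, (host, reasons) in scan_links(SAMPLE_LINKS).items():
        verdict = "SUSPECT" if reasons else "ok"
        print(f"{verdict:8} {url}\n         connects to: {host}")
        for r in reasons:
            print("         - " + r)
```

The filter keys on the parsed userinfo rather than on the raw presence of an “@” character, so an “@” in the path or query (which cannot change the host) is not flagged; the IE patch described above takes the blunter approach of rejecting the character outright.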

The latest patch also fixes a cross-domain scripting vulnerability in Internet Explorer, through which a remote attacker could bypass the security measures that limit what Web-based code is allowed to do on a user's machine. The flaw lets a link containing JavaScript code run commands in the Local Machine Zone with the privileges of the logged-on user.

Netcraft has developed a service to help banks and other financial organizations identify sites that may be constructing fraud, identity theft and phishing attacks by impersonating the bank, or that imply a relationship with the bank where none exists.